Use Cases
Doctor
The doctor should be able to view the medical history of his own patients and any patient that he has an appointment with, but should not be able to simply peruse other patient files
The check up notes include all the medical information, the depression survey and the doctors notes on the session
The doctor can recommend that a patient be dropped but cannot drop. Only the researcher can do that
Patient
The patient should be able to see their own records, but not edit them. If they want to change something they will need to pass their request through the doctor who will inform the researchers
Researcher
The researchers should have extensive rights in the database, but not administrative rights. They--and no one else--should be able to open the table that contains the assignments of patients to a group. But they will need to make summary reports based on the groups.
Researches should be able to run their own adhoc queries and create their own procedures and views